asp.net - Is this LINQ statement vulnerable to SQL injection?
Is this LINQ statement vulnerable to SQL injection?
```csharp
var result = from b in context.tests
             where b.id == inputtextbox.text
             select b;
```
where context is the entity context and tests is the table. I'm trying to learn LINQ, and I thought one of the benefits was that it wasn't vulnerable to SQL injection, but some of the stuff I've seen has said differently. Do I need to parametrize the LINQ statement to make it safer? If so, how?
Also, is this considered LINQ to SQL or LINQ to Entities?
Short answer: LINQ is not vulnerable to SQL injection.
Long answer:
LINQ is not SQL. There's a whole library behind the scenes that builds SQL from the expression trees the compiler generates from your code, mapping the results back to objects, and of course it takes care of making things safe on the way.
See the LINQ to SQL FAQ:
Q. How is LINQ to SQL protected from SQL-injection attacks?
A. SQL injection has been a significant risk for traditional SQL queries formed by concatenating user input. LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input.
Internally, this means that when LINQ to SQL queries the database, instead of using plain values it passes them as SQL parameters, which means they can never be treated as executable code by the database. The same is true for most (if not all) ORM mappers out there.
Compare these two approaches (totally pseudo-code):
```csharp
// Hostile input: the classic "close the string, run another statement" payload.
string name = "'; DROP DATABASE master --";

// Concatenation: the input becomes part of the SQL text the server parses.
var unsafeCmd = new SqlCommand(
    "SELECT * FROM Authors WHERE Name = '" + name + "'", connection); // oops!

// Parameters: the input travels as a value and is never parsed as SQL.
var safeCmd = new SqlCommand(
    "SELECT * FROM Authors WHERE Name = @name", connection);
safeCmd.Parameters.Add(new SqlParameter("@name", name)); // pretty safe
```
I suggest you dive deeper into what LINQ statements mean and when and how they get translated into real SQL. You may want to learn about LINQ standard query operator translation, deferred execution, the different LINQ providers, et cetera. In the case of LINQ, as an abstraction technology, it's both fascinating and incredibly useful to know what's happening behind the scenes.
P.S. Every time I see a question about SQL injection I can't help but remember that webcomic.
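The answer above describes what LINQ to SQL does with the comparison value; the quickest way to see it for yourself is to ask the DataContext for the command it would send, without executing anything. The following is an added example, not code from the question or the answer. It assumes a hypothetical `Authors` table with `Id` and `Name` columns, a hypothetical `BookstoreContext`, and a placeholder connection string (the query is only translated, so no database is contacted). It also shows the one place where LINQ to SQL hands you raw SQL again: `DataContext.ExecuteQuery<T>` runs the string you give it, so concatenating user input there reintroduces the injection the LINQ query avoided, while its `{0}` placeholders are converted to parameters.

```csharp
using System;
using System.Data.Common;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

// Hypothetical entity mapped to an assumed Authors table.
[Table(Name = "Authors")]
public class Author
{
    [Column(IsPrimaryKey = true)] public int Id;
    [Column] public string Name;
}

// Hypothetical context; the base DataContext does the SQL generation.
public class BookstoreContext : DataContext
{
    public BookstoreContext(string connectionString) : base(connectionString) { }
    public Table<Author> Authors => GetTable<Author>();
}

public static class Program
{
    public static void Main()
    {
        // Constructed hostile input, same payload as in the answer.
        string name = "'; DROP DATABASE master --";

        // Assumed connection string: GetCommand translates without opening it.
        var context = new BookstoreContext(
            "Data Source=.;Initial Catalog=Bookstore;Integrated Security=True");

        // 1. A LINQ query. The compiler produces an expression tree; LINQ to SQL
        //    translates it and turns the captured `name` into a SqlParameter.
        var query = from a in context.Authors
                    where a.Name == name
                    select a;

        DbCommand cmd = context.GetCommand(query);
        Console.WriteLine("SQL sent to the server:");
        Console.WriteLine(cmd.CommandText);            // WHERE clause uses @p0, not the text
        Console.WriteLine("Parameters:");
        foreach (DbParameter p in cmd.Parameters)      // the payload arrives here, as a value
            Console.WriteLine($"  {p.ParameterName} = {p.Value}");

        // 2. The escape hatch. ExecuteQuery runs whatever SQL string you hand it,
        //    so concatenation here is exactly the "oops!" case from the answer.
        //    Left commented out on purpose; it is the pattern to grep for in a review.
        // var injectable = context.ExecuteQuery<Author>(
        //     "SELECT * FROM Authors WHERE Name = '" + name + "'");

        // 3. ExecuteQuery with String.Format-style placeholders: LINQ to SQL
        //    converts each {n} argument into a parameter instead of splicing text.
        IEnumerable<Author> parameterized = context.ExecuteQuery<Author>(
            "SELECT * FROM Authors WHERE Name = {0}", name);
        Console.WriteLine("ExecuteQuery with {0}: argument sent as a parameter");
    }
}
```

`GetCommand` is the check worth keeping in a toolbox: run it on any query whose safety you doubt and look at `CommandText` and `Parameters` rather than reasoning about what the provider probably did. The rule that falls out of step 2 is that the parameterization guarantee covers the query operators, not arbitrary SQL strings you pass through `ExecuteQuery` or `ExecuteCommand`; code review should treat those calls like any other raw SQL API.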